On 25.11.2013 17:14, Sassan Panahinejad wrote:
> Hi,
>
> I am dealing with a CA certificate bundle, similar to this one:
> https://github.com/twitter/secureheaders/blob/master/config/curl-ca-bundle.crt,
> like the example, the one I am dealing with was automatically generated
> from mozilla's certdata.txt.
>
> Consider the certificate labelled "Bogus live.com".
> Now I know from some searching that this certificate is intended to
> block a bad certificate, but I don't know how this works in an openssl
> cert bundle. I am concerned that perhaps the conversion from the format
> used by mozilla has led to the certificate being included as a trusted
> cert instead of an explicitly untrusted one.
The file contains certs that are not suitable for TLS web server
authentication. Most scripts for NSS certdata.txt are plain wrong and
don't handle the trust settings properly (or not at all). Adam Langley
wrote a blog posting about the issue almost two years ago [1]. He also
wrote a golang program that handles the trust settings correctly. I
recently fixed that script to grab and dump the latest certdata database
correctly. I suggest that you use Adam's script.

A couple of months ago I fixed curl's script [2] and made an attempt to
fix Ubuntu's cert list [3] ... the latter is still broken. :(

Christian

[1] https://www.imperialviolet.org/2012/01/30/mozillaroots.html
[2] https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004
[3] https://github.com/bagder/curl/commit/51f0b798fa572496c56db62dc3970e4ea0b2760c

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
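The trust settings the reply refers to live in separate CKO_NSS_TRUST objects in certdata.txt: "Bogus live.com" is there with CKA_TRUST_SERVER_AUTH set to CKT_NSS_NOT_TRUSTED, so a converter that dumps every CKA_VALUE without reading the trust object turns an explicit distrust entry into a trusted root. The following added example (not Adam Langley's program, not curl's script, and not part of the thread) shows the filtering a correct converter must do; it matches trust objects to certificates by issuer plus serial number (my choice, the label would also work) and runs on a constructed stand-in for certdata.txt whose certificate bodies are placeholder bytes rather than real DER.

```python
# Keep only certdata.txt roots whose CKO_NSS_TRUST object marks them as a
# trusted delegator for TLS server auth (CKT_NSS_ and old CKT_NETSCAPE_ names).
import re

OCTAL = re.compile(r"\\([0-7]{3})")          # one byte per \NNN escape

def parse_objects(text):
    # Returns a list of {attribute: value} dicts, one per CKA_CLASS object.
    objects, cur, key, buf = [], {}, None, []
    for line in text.splitlines():
        if key:                                # inside a MULTILINE_OCTAL block
            if line.strip() == "END":
                cur[key] = bytes(int(o, 8) for o in OCTAL.findall("".join(buf)))
                key, buf = None, []
            else:
                buf.append(line)
        elif line.strip() and not line.startswith("#"):
            parts = line.split(None, 2)
            if parts[0] == "CKA_CLASS" and cur:   # a new object starts here
                objects.append(cur)
                cur = {}
            if len(parts) == 2 and parts[1] == "MULTILINE_OCTAL":
                key = parts[0]
            elif len(parts) == 3:
                cur[parts[0]] = parts[2].strip('"')
    return objects + [cur] if cur else objects

def trusted_server_certs(text):
    # {label: DER bytes} for certs explicitly trusted for server auth. A cert
    # whose trust object says CKT_NSS_NOT_TRUSTED (explicit distrust, e.g.
    # "Bogus live.com") or MUST_VERIFY_TRUST, or that has no trust object, is dropped.
    objs = parse_objects(text)
    trust = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]): o
             for o in objs if o["CKA_CLASS"] == "CKO_NSS_TRUST"}
    out = {}
    for o in objs:
        t = trust.get((o.get("CKA_ISSUER"), o.get("CKA_SERIAL_NUMBER")))
        if o["CKA_CLASS"] == "CKO_CERTIFICATE" and t and \
           t.get("CKA_TRUST_SERVER_AUTH", "").endswith("_TRUSTED_DELEGATOR"):
            out[o["CKA_LABEL"]] = o["CKA_VALUE"]
    return out

def _obj(cls, label, n, extra):           # builds one constructed sample object
    return (f'CKA_CLASS CK_OBJECT_CLASS {cls}\nCKA_LABEL UTF8 "{label}"\n'
            f"CKA_ISSUER MULTILINE_OCTAL\n\\060\\00{n}\nEND\n"
            f"CKA_SERIAL_NUMBER MULTILINE_OCTAL\n\\002\\001\\00{n}\nEND\n{extra}\n")

SAMPLE = "\n".join([  # constructed stand-in for certdata.txt; bodies are not real DER
    _obj("CKO_CERTIFICATE", "Example Root", 1, "CKA_VALUE MULTILINE_OCTAL\n\\060\\001\\101\nEND"),
    _obj("CKO_NSS_TRUST", "Example Root", 1, "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR"),
    _obj("CKO_CERTIFICATE", "Bogus live.com", 2, "CKA_VALUE MULTILINE_OCTAL\n\\060\\001\\102\nEND"),
    _obj("CKO_NSS_TRUST", "Bogus live.com", 2, "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED"),
])
```

Running `trusted_server_certs(SAMPLE)` yields only "Example Root"; the DER values it returns are what a converter would base64-wrap into PEM CERTIFICATE blocks for an OpenSSL bundle, and a quick check on a generated bundle is that no "Bogus" label appears in it.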